Despite the effort required by company-specific and normative cybersecurity requirements, companies should ask themselves who the attacker could be, what their goals are and how they could proceed. The answers enable more effective defensive measures.